Everything related to vulnerability and exploit development, including OffSec course updates and live training.
<p>by Morten Schenk</p> <p>Windows 10 1809 Kernel ASLR Bypass Evolution</p> <p>When it is well-implemented, Kernel Address Space Layout Randomization (KASLR) makes Windows kernel exploitation extremely difficult by making it impractical to obtain the base address of a kernel driver directly. In an attempt to bypass this, researchers have historically focused on kernel address leaks to retrieve these addresses, either through specific kernel-memory disclosure vulnerabilities or using a kernel-mode read primitive created through a kernel vulnerability like a pool overflow or a write-what-where. The focus of this article is the more generic approach of KASLR bypass using a kernel-mode read primitive.</p> <p>As researchers develop new bypass techniques, Microsoft has consistently mitigated many of the resulting exploit vectors:</p> <ul> <li>A pair of exploitation techniques leveraged bitmaps and palette objects as kernel-mode read and write primitives.</li> </ul> <p><a class="excerpt-read-more" href="https://www.offsec.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/" title="ReadDevelopment of a new Windows 10 KASLR Bypass (in One WinDBG Command)">… Read more »</a></p>
<p style="text-align: justify;">Some time ago, we noticed some security researchers looking for critical vulnerabilities affecting “security”-based products (such as antivirus) that can have a damaging impact on enterprise and desktop users. Take a stroll through the Google <a href="https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=owner:taviso@google.com">Project Zero bug tracker</a> to see what we mean.</p>
<p style="text-align: justify;"> A few months ago, we decided to make a new module for our <a href="https://www.offsec.com/information-security-training/advanced-windows-exploitation/">Advanced Windows Exploitation</a> class. After evaluating a few options we chose to work with an Adobe Flash 1day vulnerability originally discovered by the Google Project Zero team. Since we did not have any previous experience with Flash internals, we expected a pretty steep learning curve. </p>
<p style="text-align: justify;">Last week Microsoft released EMET 5.1 to address some compatibility issues and strengthen mitigations to make them more resilient to attacks and bypasses. We, of course, were curious to see if our <a href="https://www.offsec.com/vulndev/disarming-emet-v5-0/" title="Disarming EMET v5.0" target="_blank" rel="noopener noreferrer">EMET 5.0 disarming technique</a> had been addressed by the latest version of the toolkit.</p>
<p style="text-align: justify;">In our previous <a title="Disarming Enhanced Mitigation Experience Toolkit (EMET)" href="https://www.offsec.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/" target="_blank" rel="noopener noreferrer">Disarming EMET 4.x</a> blog post, we demonstrated how to disarm the ROP mitigations introduced in EMET 4.x by abusing a global variable in the <em>.data</em> section located at a static offset. A general overview of the EMET 5 technical preview has been recently published <a title="EMET 5.0 Review" href="http://0xdabbad00.com/2014/02/27/emet-5.0-review/" target="_blank" rel="noopener noreferrer">here</a>.</p>
<p style="text-align: justify;">In a recent engagement, we had the opportunity to audit a leading Antivirus Endpoint Protection solution, where we found a multitude of vulnerabilities. Some of these made it to CERT, while others have been scheduled for review during our upcoming AWE course at Black Hat 2014, Las Vegas. Ironically, the same software that was meant to protect the organization under review was the reason for its compromise.</p>
<p style="text-align: justify;">With the emergence of recent Internet Explorer vulnerabilities, we’ve been seeing a trend of <a href="http://support.microsoft.com/kb/2458544" title="EMET" target="_blank" rel="noopener noreferrer">EMET</a> recommendations as a path to increasing <a href="https://www.offsec.com/application-security-assessment/">application security</a>. A layered defense is always helpful, as it increases the obstacles in the path of an attacker. However, we were wondering how much it really helps. How much harder does an attacker have to work to bypass these additional protections? With that in mind, we started a deep dive into EMET.</p>
<p style="text-align: justify;">In the past few days there has been some online chatter about a new Windows XP/2k3 privilege escalation, well documented by <a title="Fireeye" href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html" target="_blank" rel="noopener">FireEye</a>. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC.</p>
<p style="text-align: justify;">In one of our recent pentests, we discovered a 0day for a custom C application server running on the AIX operating system. After debugging the crash, we discovered that the bug could lead to remote code execution, and since we don’t deal very often with AIX exploitation, we decided to write an exploit for it. The first steps were accomplished pretty quickly, and we successfully diverted the execution flow by jumping to a controlled buffer. At this point, we thought we could easily generate some shellcode from MSF and enjoy our remote shell.</p>
<p style="text-align: justify;">On a recent penetration test, we encountered an installation of CA ARCserve Backup on one of the target systems that piqued our interest. Like most “good” enterprise applications, ARCserve has processes that are running as SYSTEM so naturally, we went straight to work looking for vulnerabilities.</p>
<p style="text-align: justify;">During a routine scan of new vulnerability reports for the Exploit Database, we came across a single post in <a title="FreePBX RCE Vulnerability Report" href="http://seclists.org/fulldisclosure/2012/Mar/234" target="_blank" rel="noopener noreferrer">Full Disclosure</a> by Martin Tschirsich about a Remote Code Execution vulnerability in FreePBX. This vulnerability sounded intriguing and, as usual, required verification in the EDB. At first glance, the vulnerability didn’t jump out at us, especially as we are not familiar with the inner workings of Asterisk. After a couple of emails back and forth with Martin, the path to code execution became clearer:</p> <p><a class="excerpt-read-more" href="https://www.offsec.com/vulndev/freepbx-exploit-phone-home/" title="ReadFreePBX Exploit Phone Home">… Read more »</a></p>
<p style="text-align: justify;">Every patch Tuesday, we, like many in the security industry, love to analyze the released patches and see if any of them can lead to the development of a working exploit. Recently, the <a title="MS11-080" href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-080?redirectedfrom=MSDN" target="_blank" rel="noopener noreferrer">MS11-080</a> advisory caught our attention as it afforded us the opportunity to play in the kernel and try to get a working privilege escalation exploit out of it.</p>